Merge pull request #7 from richlamdev/unbound-role

inital commit of unbound role

Author: richlamdev

roles/unbound/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload unbound
+  service:
+    name: unbound
+    state: restarted

roles/unbound/tasks/dynamic.yml

@@ -0,0 +1,19 @@
+---
+# - name: Set _unbound user as owner for /var/unbound/etc folder
+#   file:
+#    path: /var/unbound/etc
+#    owner: _unbound
+#    group: "wheel"
+#    mode: "0755"
+
+- name: deploy unbound.conf template configuration file
+  template:
+    src: unbound.conf.j2
+    dest: "/etc/unbound/"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  notify: reload unbound
+
+- name: restart unbound service unconditionally
+  meta: flush_handlers

roles/unbound/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: static file configuration
+  import_tasks: static.yml
+
+- name: dynamic file configuration
+  import_tasks: dynamic.yml

roles/unbound/tasks/static.yml

@@ -0,0 +1,45 @@
+---
+- name: Update APT package cache
+  apt:
+    update_cache: yes
+    cache_valid_time: 3600  # Cache is valid for 1 hour
+
+- name: Install Unbound and ca-certificates
+  apt:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - unbound
+    - unbound-anchor
+    - ca-certificates
+  loop_control:
+    label: "{{ item }}"
+
+- name: Ensure /var/lib/unbound directory exists
+  file:
+    path: /var/lib/unbound
+    state: directory
+    owner: unbound
+    group: unbound
+    mode: '0755'
+
+- name: Download the latest root.hints file
+  get_url:
+    url: https://www.internic.net/domain/named.root
+    dest: /var/lib/unbound/root.hints
+    owner: unbound
+    group: unbound
+    mode: '0644'
+    force: yes
+
+- name: Install root.key from IANA using unbound-anchor
+  shell: '/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key'
+  register: rootkey
+  failed_when: rootkey.rc not in [0, 1]
+  changed_when: "'success' in rootkey.stdout or rootkey.rc == 0"
+
+- name: Ensure Unbound service is enabled and running
+  systemd:
+    name: unbound
+    enabled: yes
+    state: started

roles/unbound/templates/unbound.conf.j2

@@ -0,0 +1,134 @@
+# /etc/unbound/unbound.conf
+#
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
+
+
+
+server:
+        verbosity: 1
+        #logfile: "/var/unbound/etc/unbound.log"
+        #logfile: "/var/log/unbound.log"
+        use-syslog: yes     #overrides logfile setting above
+        log-queries: yes
+        log-replies: yes
+        log-tag-queryreply: yes
+        port: 53
+        do-ip4: yes
+        do-ip6: no
+        do-udp: yes
+        do-tcp: yes
+        directory: "/etc/unbound"
+        #chroot: "/var/unbound"
+        interface: {{ host_ip }}
+        interface: 127.0.0.1
+
+        access-control: 0.0.0.0/0 refuse
+        access-control: ::0/0 refuse
+        access-control: {{ network_addr }}/24 allow
+        access-control: 127.0.0.0/8 allow_snoop
+        hide-identity: yes
+        hide-version: yes
+        harden-glue: yes
+        root-hints: "/var/lib/unbound/root.hints"
+        auto-trust-anchor-file: "/var/lib/unbound/root.key"
+        val-clean-additional: yes
+
+        tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
+
+        prefetch: yes
+
+        minimal-responses: yes
+        qname-minimisation: yes
+        rrset-roundrobin: yes
+        ssl-upstream: yes
+        use-caps-for-id: yes
+        harden-dnssec-stripped: yes
+        cache-min-ttl: 3600
+        cache-max-ttl: 86400
+
+        private-address: 192.168.0.0/16
+        private-address: 172.16.0.0/12
+        private-address: 10.0.0.0/8
+
+        private-address: 0.0.0.0/8
+        private-address: 100.64.0.0/10
+        private-address: 127.0.0.0/8
+        private-address: 169.254.0.0/16
+        private-address: 172.16.0.0/12
+        private-address: 192.0.0.0/24
+        private-address: 192.0.2.0/24
+        private-address: 192.88.99.0/24
+        private-address: 198.18.0.0/15
+        private-address: 198.51.100.0/24
+        private-address: 203.0.113.0/24
+        private-address: 224.0.0.0/4
+        private-address: 240.0.0.0/4
+        private-address: 255.255.255.255/32
+
+
+# number of threads to create. 1 disables threading. This should equal the number
+# of CPU cores in the machine. Our example machine has 4 CPU cores.
+        num-threads: 4
+
+## Unbound Optimization and Speed Tweaks ###
+
+# the number of slabs to use for cache and must be a power of 2 times the
+# number of num-threads set above. more slabs reduce lock contention, but
+# fragment memory usage.
+        msg-cache-slabs: 8
+        rrset-cache-slabs: 8
+        infra-cache-slabs: 8
+        key-cache-size: 32m
+        key-cache-slabs: 8
+
+# Increase the memory size of the cache. Use roughly twice as much rrset cache
+# memory as you use msg cache memory. Due to malloc overhead, the total memory
+# usage is likely to rise to double (or 2.5x) the total cache memory. The test
+# box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
+        rrset-cache-size: 512m
+        msg-cache-size: 256m
+
+# buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
+# the kernel buffer larger so that no messages are lost in spikes in the traffic.
+        #so-rcvbuf: 1m
+        #so-rcvbuf: 32m
+
+        outgoing-range: 32768
+        num-queries-per-thread: 4096
+        infra-cache-numhosts: 100000
+
+
+## Unbound Optimization and Speed Tweaks ###
+
+
+# Use an upstream forwarder (recursive resolver) for specific zones.
+# Example addresses given below are public resolvers valid as of 2014/03.
+#
+forward-zone:
+        name: "."                           # use for ALL queries
+        forward-tls-upstream: yes
+        forward-addr: 9.9.9.9@853#dns.quad9.net
+        forward-addr: 149.112.112.112@853#dns.quad9.net
+        forward-addr: 1.1.1.2@853#cloudflare-dns.com
+        forward-addr: 1.0.0.2@853#cloudflare-dns.com
+        forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
+        forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
+        forward-addr: 176.103.130.130@853#dns.adguard.com
+        forward-addr: 176.103.130.131@853#dns.adguard.com
+        #forward-addr: 45.90.28.0#b978e6.dns1.nextdns.io
+        #forward-addr: 45.90.30.0#b978e6.dns2.nextdns.io
+
+
+        #forward-addr: 185.222.222.222@853 # dns.sb primary
+        #forward-addr: 185.184.222.222@853 # dns.sb secondary
+        #forward-addr: 8.8.8.8@853         # google primary
+        #forward-addr: 8.8.4.4@853         # google secondary

roles/unbound/vars/main.yml

@@ -0,0 +1,5 @@
+# replace network interface as required.
+# within vim - :3,5s/re0/em0/g  OR  :3,5s/em0/re0/g
+host_ip: "{{ ansible_em0['ipv4'][0].address }}"
+network_addr: "{{ ansible_em0['ipv4'][0].network }}"
+subnet_mask: "{{ ansible_em0['ipv4'][0].netmask }}"